Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6a31d2be6ba21c7…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-03-10 15:20:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-05
MD5: 128dd104b9f35669db479373b6b1d701
SHA-1: e6232775fce752246618967f42afd038cf572053
SHA-256: c6a31d2be6ba21c73d1e44166e60b03d9d45e83ba282a352899cabfd37ff37e3
Risk score: 196

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by an ML classifier and by ClamAV. It contains numerous external links, including a link farm and an SEO redirector, suggesting an attempt to direct users to malicious websites. The document body, though heavily obfuscated, appears to be a lure related to learning to draw, a common theme for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8390

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (severity: high, rule: PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • PDF differential parser failed (severity: info, rule: PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • https://leonvi.ru/award?keyword=aprenda+a+desenhar+guia+completo+pdf (PDF link annotation)
    • http://xuwuvewisin.mypressonline.com/56675670738.pdf (in PDF document text)
    • http://mugukix.mygamesonline.org/78674477109.pdf (in PDF document text)
    • https://gujavaluzosozu.weebly.com/uploads/1/3/4/0/134013303/nolobibim_mozidukudorujej_zimoraxibi.pdf (in PDF document text)
    • http://sagebiwepul.22web.org/26040283213.pdf (in PDF document text)
    • http://sutovuresas.mygamesonline.org/69757540067.pdf (in PDF document text)
    • http://webcam-model.online/is_the_smith_and_wesson_380_bodyguard_a_good_gunj56jg.pdf (in PDF document text)
    • https://cdn.sqhk.co/wufevinek/Cpji3Hj/ice_cream_van_delivery_uk.pdf (in PDF document text)
    • https://cdn.sqhk.co/kawiwitifa/0gihgih/queen_s_quest_tower_of_darkness_walkthrough.pdf (in PDF document text)
    • http://straponartist.com/48130544021y6br0.pdf (in PDF document text)
    • http://dasiwujupuna.sportsontheweb.net/35354513322.pdf (in PDF document text)
    • https://reborugavuzak.weebly.com/uploads/1/3/4/7/134736286/1035373.pdf (in PDF document text)
    • https://gavuwili.weebly.com/uploads/1/3/1/0/131070236/dizavodusolim.pdf (in PDF document text)
    • https://cdn.sqhk.co/fidapulano/hciaoch/47905634220.pdf (in PDF document text)
    • http://feporerapupanun.iblogger.org/zuzufe.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • http://jipajarukureji.rf.gd/how_to_contact_hp_service_center.pdf (in PDF document text)
    • https://s3.amazonaws.com/dobesogum/the_hobbit_3_hindi_movie_download_filmywap.pdf (in PDF document text)
    • https://s3.amazonaws.com/wudibirewuduto/hco3_formal_charge.pdf (in PDF document text)
    • https://s3.amazonaws.com/gimisorixosu/weather_report_isanti_mn.pdf (in PDF document text)
    • http://vafitinupisojud.onlinewebshop.net/lol_para_colorear.pdf (in PDF document text)
    • https://s3.amazonaws.com/mekonulegipero/interim_report_business_definition.pdf (in PDF document text)
    • https://s3.amazonaws.com/dugibabafod/17203218789.pdf (in PDF document text)
    • http://likefiradoweze.rf.gd/properties_of_exponents_worksheet_simplify_the_expression.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e481.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE481
    Size: 5440 bytes
    SHA-256: 970da02d1a4d885c3761fbc0a38d28ff975275f2145ddf0204a78d2a8da1fa2c
  • font_01_sfnt_off0000f6ce.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF6CE
    Size: 12968 bytes
    SHA-256: 0094b18f3aa7be3de0a64db2d8bf14122659ad3d5d4d4230814fb1f1c77dbeb1
  • font_02_sfnt_off00011f34.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11F34
    Size: 4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361